Pulse: Cyber security

5 September 2017

When it comes to cyber security, it can be hard to separate the important from the sensational.
Through regular bulletins, we'll do the hard yards for you so that you
can keep your finger on the pulse with the latest cyber security trends,
incidents, legal issues and regulatory activity. Plus, we'll make sure that you have a good cyber story to tell at your next dinner party.

We'd love to hear from you, so please let us know if you're in need of more detail or if there's something in particular that you'd like to hear about.

In our first issue: we look at the outcome of the OAIC's investigation into the Australian Red Cross data breach, lessons learnt from one of the largest cyber attacks in history, directors' liability in relation to cyber resilience, the incoming notifiable data breaches scheme, the NSW Government's recent $11.4 million investment to help tackle critical technology challenges including cyber security, and the Federal Government's new mission to decode cyber vernacular.

OAIC concludes investigation of Australian Red Cross data breach

In brief: A one-off human error by a third party provider's employee led to a massive data breach that hit the Australian Red Cross Blood Service late last year. Nearly a year after the breach, the Australian Information and Privacy Commissioner, Timothy Pilgrim, has concluded his investigation.

What happened?

In October 2016, a database file containing information relating to approximately 550,000 prospective blood donors was inadvertently saved to a publicly accessible portion of a webserver managed by an employee of the third party provider, Precedent Communications. Some of the accessible information was particularly sensitive and related to sexual behaviours.

The Red Cross became aware of the breach after an unknown individual who discovered the vulnerability contacted a cyber security expert, Troy Hunt. Mr Hunt then contacted the Australian Cyber Emergency Response Team (AusCERT) who notified the Red Cross. AusCERT also contacted the internet service provider who hosted the website to have access to the website removed.

How did the Red Cross respond?

Upon being notified of the breach, the Red Cross took immediate steps to contain it. These included:

confirming (through AusCERT) that a copy of the data file held by the unknown individual and Mr Hunt had been deleted;

engaging an identity and cyber support service to undertake a risk assessment of the information compromised;

issuing press releases confirming that a data breach had occurred and publishing statements on its website and social media sites;

establishing a dedicated website, telephone hotline and an email inquiry facility to respond to public enquiries;

notifying affected individuals via text message and email; and

engaging specialist organisations to conduct a forensic analysis on the exposed server, to monitor their website for any vulnerabilities or unusual activity and to monitor the dark web for evidence that the data was being traded.1

Outcome of the OAIC's Investigation

The Commissioner found that the Red Cross had failed to implement contractual or other measures to ensure that Precedent Communications had adequate security arrangements. Nonetheless, the Commissioner commended the Red Cross for its quick response and handling of the breach, noting that its response provides a model of good practice for other organisations.

Steps taken by the Red Cross

Since the incident, the Red Cross has enhanced its information handling practices and provided an enforceable undertaking to engage an independent reviewer to review its third party management policy and standard operating procedure. Precedent Communications has also provided an enforceable undertaking with the Commissioner’s office to establish a data breach response plan and to update its privacy and data protection policy.

Spotlight: Cyber breach at Target

In brief: There's a joke in the cyber security industry that there are two types of companies: those that know they have been hacked, and those that haven't yet found out. In November 2013, Target Corporation in the US learned this the hard way when it was told by law enforcement agencies that it had been subject to one of the largest cyber attacks in history. Not long before Christmas, hackers stole credit and debit card information for 40 million Target customers, as well as home and email addresses for an additional 70 million customers.2

What happened?

In September 2013, hackers initiated a phishing email campaign against one of Target's external heating and ventilation providers. Target did not monitor the provider's security arrangements. An employee of the provider opened a malicious link in the phishing email which enabled hackers to steal credentials that gave them access to Target's network, giving them access to sensitive customer payments and personal data.
Using this access, the hackers were then able to install malware on 1800 point-of-sale terminals (POS) between 15 and 28 November 2013 which, in turn, allowed the hackers to collect encrypted data as it passed from the POS systems to the payment processing providers Visa and MasterCard. By 30 November,
the malware had been installed on the majority of Target's POS system.

On 12 December 2013, law enforcement agencies contacted Target about the breach and the malware was removed from its POS systems on 15 December 2013.

Interestingly, Target's security team had raised vulnerabilities in Target's POS system and had
suggested a review of Target's payment network only two months before the
attacks. Those suggestions were not acted upon. Target also failed to act on alerts from its anti-intrusion software that attackers were installing malware in its network.

Target did not immediately disclose its breach, with the first suggeston that
a breach had occurred coming from an online security blog. One week later, the company announced the breach and the theft of its data, and Target customers began
identifying fraudulent transactions on their accounts.

The aftermath

To date, this cyberattack is estimated to have cost Target more than $200 million, with only a $90 million reimbursement from its cyber insurance policy.
At the end of the day, that cost may be even more significant. The breach impacted on Target in the following ways:

Reputational damage: Target's image suffered significantly. The company was criticised for
the time it took to make the breach public and its customer service department's
failures to effectively handle customer inquiries.

Financial costs: In its quarterly financial results after
the breach, Target posted a 46 per cent decline in profits and a 5.3 per cent drop in revenue.

Internal upheaval: Target's CEO and Chief Information Officer
both resigned. Target also created two new positions: the Executive Vice-President and Chief Information Security Officer and the Executive Vice President and Chief Compliance Officer.

Regulatory investigations: Target faced investigations by Congressional committees, the Securities and Exchange Commission (SEC), the Department of Justice and the Federal Trade Commission.

Legal costs: More than 140 legal actions were launched
against Target, several of which were class actions. The courts divided the actions into three groups: financial institutions, consumers and shareholders.

Consumers accused Target of negligence in its handling of customer data, violation of state consumer laws and state data breach laws, breach of contract, breach of the duty of care arising under a bailment of the data and unjust enrichment because part of the money paid for goods and services should have been, but was not, used by Target to provide adequate safeguards and security measures.

The banks (making up 29 of the claims) sought reimbursement from Target for costs arising from the breach, claiming that Target was negligent
as its data security was insufficient and it had failed to implement or adhere to federal laws surrounding processing credit card payments.

Finally, shareholders alleged that directors had breached their fiduciary duties.

Target has since settled with Visa for US$67 million, MasterCard for US$39 million and created a US$10 million consumer fund for affected consumers, following several class actions. In the first instance, consumers with documented losses can receive reimbursement up to US$10,000 out of the US$10 million fund. Those losses could include unauthorised, unreimbursed charges on credit cards, time spent addressing unauthorised charges, higher interest fees that were paid, other fees paid on accounts (eg late payment fees and card cancellation or replacement fees), costs to replace identification documents (eg drivers' licence) and costs of credit monitoring or correcting credit reports. After payment for documented losses is made, consumers who submit valid claims without documentation will receive an equal share of the remaining funds.

Key takeaways

Management of third party service providers: Ensure that you robustly manage your third party service providers, not only through contractual provisions, but also by undertaking due diligence and conducting regular testing and audits.

Evaluating risk: Ensure that your business' processes for detecting, preventing and responding to a cyber incident work from top to bottom. Consider war gaming or testing your entire cyber response capability. Alerts software doesn't work if you don't pay attention to an alert.

Directors' duties: Directors and officers of companies must have a thorough understanding of a company's cyber security systems and take responsibility to ensure that those systems operate effectively.

Bare minimum not enough to beat cybercrime: Target had multiple layers of protection in place, including: segmentation; firewalls; malware detection software; intrusion detection software; prevention tools; and plans to prevent data loss. It also complied with international standards. This breach demonstrates once again that when seeking to ensure cyber resilience, compliance with standards is the 'floor and not the ceiling'.

Directors' duties and cyber resilience

In brief: The Target data breach brought the liability of boards and directors in relation to cyber resilience into focus. Target's shareholders brought litigation against all of its directors, the chief financial officer and the chief information officer due to what was perceived as recklessness and disregard for their duties as directors. Directors' liability in relation to cyber security hasn't yet been tested in Australia, but it's only a matter of time.

The key question for directors is how cyber resilient is your organisation? Cyber resilience is an organisation’s ability to prepare for and quickly respond to a cyber attack.

When can a director be held liable?

In Australia, there are two instances in which a company director could be held liable for a cyber breach:

Privacy Act: a company director could be subject to a civil penalty for a breach of the Privacy Act if they engage in, aid, abet, are knowingly concerned in or are a party to, serious or repeated interferences with privacy.

Duty of care and diligence: directors must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the circumstances. If a director failed to exercise care and diligence in relation to a company's cyber resilience, they could be found to be in breach of this duty.

We haven't yet seen either of these possibilities eventuate in Australia, but that's only a matter of time. For example, directors might be held to be liable where a board is informed that a company has serious cyber security vulnerabilities but the board resolves not to spend money to address those issues.

What should directors do?

In Australia, there is clear appetite for boards to understand their company's cyber profile but there is still a way to go. The ASX's recent Cyber Health Check survey on Australia's top 100 listed companies found that only 34 per cent of boards had clearly defined risk appetite for cyber and only 11 per cent of boards had a clear understanding of where the company's key information or data assets were being shared with another provider.3 ASIC Commissioner Cathie Armour has commented that board members should 'be actively thinking about whether cyber security should be assessed more regularly than other risks' and should 'think about lifting their capability' in the area.4

Incoming Notifiable Data Breaches Scheme

In brief: There is no current legal obligation under the Privacy Act to notify either the Privacy Commissioner or affected individuals where you suffer a data breach. However, mandatory data breach notification laws will take effect in Australia from 22 February 2018.

Summary of scheme

The scheme applies to all Australian companies that are currently subject to the Privacy Act.

Where an entity is aware that there are reasonable grounds to believe that there has been an ‘eligible data breach’ of the entity it must notify the Privacy Commissioner and affected individuals.

In short, an 'eligible data breach' occurs where there is unauthorised access to, disclosure of or loss of personal information, which is likely to result in serious harm to affected individuals.

Depending on the circumstances, there are three options for notification to individuals to whom an eligible data breach relates:

Option 1: notifying each of the individuals to whom the relevant information relates.

Option 2: notifying only those individuals at risk of serious harm from the eligible data breach.

Option 3: where neither options 1 or 2 are practicable, the entity must publish a copy of the prescribed matters on their website and take reasonable steps to publicise the contents of those statements.

A key exception to the notification obligation is where effective 'remedial action' has been taken before the breach causes serious harm.

Key takeaways

Updating internal processes: Review and implement your data breach response plans. The OAIC will release additional guidance over the next few months to help businesses and agencies prepare for changes.

Third party providers: Businesses will need to consider the implications of the notification regime in relation to outsourcing or other arrangements with third parties who hold personal information for the organisation.

NSW to bolster cyber security

In brief: The NSW Government has recently announced a new $11.4 million investment to address emerging technology challenges including cyber security.

On 4 August 2017, the NSW Government announced an $11.4 million agreement with data innovation group Data61, to help tackle some of the state's top technology challenges, including cyber security. The three-year agreement is jointly funded by the Department of Industry and the Department of Finance, Services and Innovation.

The initial focus of the collaboration with Data61 involves two key projects:

Cyber security: trialling of different artificial intelligence models to identify existing and emerging security threats; and

Blockchain: assessing how blockchain and other technologies can be used to share cyber security information across government agencies.

In the Know: Cyber vernacular

In brief: The Department of Prime Minister and Cabinet has recently considered an early draft of a document defining a new 'cyber lexicon' at a roundtable hosted by Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security. The document, titled 'Words Matter: Australia's Cyber Security Lexicon' aims to improve clarity in government communications about cyber security.5

The draft considers 'contentious' cyber security terms that belong to the commonly used, but perhaps not properly understood, cyber vernacular, including: cyberattack, cyber terrorism, cyber warfare, cyber war, cyber weapons and active cyber defence. The draft recognises that these terms are sometimes sensationalist, confusing and have been used to describe a wide variety of activity with differing sophistication and impact.

The draft also addressed whether 'cyber' could be used as a noun or verb, preferring that the term be limited to use as an adjective or a prefix. One point that the roundtable clearly agreed upon was that hyphens have no place in the cyber vernacular.

Footnotes

'Autopsy of a Data Breach: The Target Case' (2016) authored by Professor Line Dubé (HEC Montréal's Department of Information Technologies) and 'Cyber Breach at Target' (2016) authored by Professor Suraj Srinivasan, Professor Lynn Paine and Research Associate Neeraj Goyal (Harvard Business School) provide digestible, detailed and well researched analysis of the Target cyber breach. Both articles are available through the Harvard Business Review website.

To save this publication on your smartphone or
tablet for off-line reading
(eg on a plane flight),
we recommend
Pocket.

You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.